So a friend of mine had her system infected with the delsim dialer trojan, who knows from where. The trojan was so aggressive that it pretty much caused all internet activity to be shut down as a result of maybe 80 or so continuous TCP connections to random IPs on port 135.

“start->run->cmd->netstat -an” returned almost 80 results originating from pseudo-random (ephemeral) source ports on her old Celeron 400MHz…lol. So, digging around, I found some pretty good advice on how to rid yourself of this and other trojans.

Avast! is a free (for home use, not open source) virus scanner that can scan your system for trojans and other bad stuff at boot time, before the malware gets a chance to start. Apparently my friend had some hack at her place a few days ago trying to ‘clean out’ old stuff; who knows what impact that had … I’m assuming he did some good. The kicker was a story I heard from her mother, who had recently clicked a malicious link through Yahoo! IM (or one of the other IM services, I forget exactly which one). Anyway, this link installed a dialer which was phoning home to whatever IP it was programmed to send to and doing god knows what.

Inspecting the outgoing packets with Ethereal (renamed Wireshark in 2006) didn’t show much of a payload, so that’s a good thing. At least it wasn’t sending a lot of personal information back to the home server. Wait … now that I think about it, it actually could have been sending just that, but obfuscating it and splitting the data into smaller pieces. I didn’t exactly want to delve that deeply into the mystery, as I had limited time.

Anyway, I first had to wrestle with Windows Firewall in XP. The options were greyed out and it said “For your security, some settings are controlled by Group Policy”. This of course is absolute bullshit. By allowing the firewall to be disabled by a program without any authentication or prejudice, you are allowing dialers and trojans to grey out the options and print this whopper of a line from Microsoft when you try to re-enable it.

So I hacked through the Group Policy using the instructions from the windowsxp.mvps.org page linked below, and set “Windows Firewall: Protect all network connections” to Enabled for all applicable Group Policy entries (Domain Profile and Standard Profile). The “controlled by Group Policy” message just means policy values exist under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, which any process running as Administrator can write, so that is how the trojan switched the firewall off in the first place. Good times.

I also blocked all incoming and outgoing connections to port 135 using the IPSec configuration tool (“ipseccmd.exe”, which ships with the Windows XP Support Tools; downloadable by doing a Google search and finding it…lol). TCP 135 is the RPC Endpoint Mapper, which DCOM uses, and which I’m guessing the dialer was using to communicate whatever devious things it wanted to foreign servers. Note that blocking 135 also blocks legitimate Windows RPC traffic to and from the machine (remote administration, domain-style services), so I’ll be interested to see which applications stop working as a result … maybe MSN Messenger? Either way, I fixed the major problem, which was a loss of all internet connectivity, so this particular troubleshooting incident will most likely be an iterative one.

After installing Avast!, blocking port 135, and enabling Windows Firewall, I answered “Yes” to the option to do a boot-time scan and restarted. The scan found over 10 trojans and deleted them all.

After the scan all was well. IE as well as Firefox were working as expected again, and a “netstat -an” returned nothing suspicious, with no more port 135 connections.
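The two “netstat -an” checks above (the infected state with ~80 connections from ephemeral ports to random IPs on 135, and the clean state afterwards) can be done by script instead of eyeballing the table. The block below is an added example, not code from the original post: it parses the XP-style netstat table and flags any remote port being hit from many distinct remote hosts, which is the connection-storm pattern described here. The sample netstat rows are constructed (RFC 5737 documentation addresses, not real hosts), and the `min_peers` threshold is an arbitrary choice of mine.

```python
"""Flag outbound connection storms in `netstat -an` output.

Added example, not from the original post. Parses the table that
Windows XP's `netstat -an` prints and reports every remote port that is
being reached from many distinct remote hosts over many ephemeral local
ports: the pattern of the ~80 TCP/135 connections described in the post.
"""
from collections import defaultdict
import re

# Constructed sample in the shape XP's `netstat -an` prints. Remote
# addresses are RFC 5737 documentation ranges, i.e. not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1035       198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.5:1041       203.0.113.17:135       SYN_SENT
  TCP    192.168.1.5:1042       203.0.113.88:135       SYN_SENT
  TCP    192.168.1.5:1043       203.0.113.5:135        SYN_SENT
  TCP    192.168.1.5:1044       198.51.100.200:135     SYN_SENT
  TCP    192.168.1.5:1045       203.0.113.129:135      ESTABLISHED
  TCP    192.168.1.5:1046       198.51.100.9:135       SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, laddr, lport, raddr, rport, state) for each socket row.

    Header and blank lines are skipped, as are UDP rows, whose foreign
    address is printed as '*:*' because UDP has no peer to show.
    """
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        if rport == "*":
            continue
        yield proto, laddr, int(lport), raddr, int(rport), state or ""


def outbound_storms(rows, min_peers=10):
    """Group non-listening TCP rows by remote port and return the ports that
    are being contacted on at least `min_peers` distinct remote hosts.

    Result: {remote_port: {"peers": n, "local_ports": n, "states": {...}}}.
    A high share of SYN_SENT means half-open attempts, i.e. scanning, rather
    than a dialer phoning home, which would be a few ESTABLISHED sessions to
    one host.
    """
    peers = defaultdict(set)
    local_ports = defaultdict(set)
    states = defaultdict(lambda: defaultdict(int))
    for proto, _laddr, lport, raddr, rport, state in rows:
        if proto != "TCP" or state == "LISTENING":
            continue
        peers[rport].add(raddr)
        local_ports[rport].add(lport)
        states[rport][state] += 1
    return {
        port: {
            "peers": len(peers[port]),
            "local_ports": len(local_ports[port]),
            "states": dict(states[port]),
        }
        for port in peers
        if len(peers[port]) >= min_peers
    }


if __name__ == "__main__":
    rows = list(parse_netstat(SAMPLE_NETSTAT))
    # Threshold lowered to 5 only because the constructed sample is small;
    # on a real box use the default or higher.
    for port, info in sorted(outbound_storms(rows, min_peers=5).items()):
        print(f"remote port {port}: {info['peers']} distinct hosts from "
              f"{info['local_ports']} local ports, states {info['states']}")
```

On a live XP box you would run `netstat -an > netstat.txt` from cmd and feed that file to `parse_netstat` instead of the constructed sample; a clean machine, like the one after the boot-time scan, returns an empty dict.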

Other references:

Spyware and Adware removal (delsim) – http://www.precisesecurity.com/adware-spy/delsim.htm
Windows Firewall options are greyed out (reset firewall policy) – http://windowsxp.mvps.org/resetfwpol.htm